Basic security measures for beginners

[ElixBerd]

Hi, I'm a new XRay user from Russia and quite a noob at all this networking stuff. Although I've been diligently reading up on all sorts of tutorials and posts here, there are some walls I can't overcome on my own. So I've set up an xray service on a VPS and set-up clients on my devices. It works so far. But I'm concerned about the future possibility of my VPS being flagged as a VPN/proxy and being blocked, and wanted to know your advice on proper security measures to avoid this as much as possible. I can see that there are a lot of example configs but I can't figure out how they're different and which one is better and how it needs to be implemented. I'm seeing that everybody's talking about XHTTP3 as being the best for security in the long run, but there're no info regarding implementation and pre-requisites. Any place I can read up on that?

What security measures am I talking about? For example when I input my VPS's IP in the browser I should be redirected to the web-site that I'm pretending to be with xray. Otherwise masking doesn't work, right? But I only managed to do so for HTTP on port 80, but when I try to enter https://IP:443 it gives me an error (ERR_HTTP2_PROTOCOL_ERROR).

Here's a summary of my current configurations:

1. Xray Configuration (/usr/local/etc/xray/config.json):

• Listening on port 443
• Using VLESS protocol with REALITY security
• Has a fallback configuration to website.com (IP_ADDRESS:443)
• Using Chrome fingerprint
• Has TCP optimization settings

2. Nginx Configuration (/etc/nginx/sites-enabled/redirect):

• Listening on port 80
• Redirects all HTTP traffic to https://www.website.com/
• Configuration looks correct for HTTP redirects

3. IPTables Rules:
   NAT Table:

• Currently empty (no NAT rules)

Filter Table:

• INPUT chain:
  • Allows loopback traffic
  • Allows established connections
  • Allows ports 80, 443, and 41xxx (used for SSH connection)
• FORWARD chain:
  • Allows established connections
  • Allows TCP port 443 to IP_ADDRESS
• OUTPUT chain:
  • Allows all outgoing traffic

Here are raw configs (with sensitive info censored):
Xray Configuration (/usr/local/etc/xray/config.json):

{
  "log": {
    "loglevel": "debug"
  },
  "inbounds": [
    {
      "port": 443,
      "protocol": "vless",
      "settings": {
        "clients": [
          {
            "id": "*********************************",
            "flow": "xtls-rprx-vision"
          }
        ],
        "decryption": "none",
        "fallbacks": [
          {
            "dest": "https://IP_ADDRESS:443",
            "xver": 0,
            "server_name": "https://website.com"
          }
        ]
      },
      "streamSettings": {
        "network": "tcp",
        "security": "reality",
        "realitySettings": {
          "show": false,
          "dest": "www.website.com:443",
          "xver": 0,
          "serverNames": [
            "www.website.com"
          ],
          "privateKey": "******************",
          "shortIds": [
            "*****************"
          ],
          "serverName": "www.website.com",
          "fingerprint": "chrome"
        }
      }
    }
  ],
  "outbounds": [
    {
      "protocol": "freedom",
      "settings": {
        "domainStrategy": "UseIP"
      },
      "streamSettings": {
        "sockopt": {
          "tcpFastOpen": true,
          "tcpKeepAliveInterval": 30
        }
      }
    }
  ]
}

Nginx Configuration (/etc/nginx/sites-enabled/redirect):

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://www.website.com/$request_uri;
}

Current IPTables Rules:

NAT Table (empty)
Filter Table:

Chain INPUT (policy DROP)
ACCEPT     all  --  lo     *       [0.0.0.0/0](https://0.0.0.0/0)            [0.0.0.0/0](https://0.0.0.0/0)           
ACCEPT     all  --  *      *       [0.0.0.0/0](https://0.0.0.0/0)            [0.0.0.0/0](https://0.0.0.0/0)            state RELATED,ESTABLISHED
ACCEPT     tcp  --  *      *       [0.0.0.0/0](https://0.0.0.0/0)            [0.0.0.0/0](https://0.0.0.0/0)            tcp dpt:80
ACCEPT     tcp  --  *      *       [0.0.0.0/0](https://0.0.0.0/0)            [0.0.0.0/0](https://0.0.0.0/0)            tcp dpt:443
ACCEPT     tcp  --  *      *       [0.0.0.0/0](https://0.0.0.0/0)            [0.0.0.0/0](https://0.0.0.0/0)            tcp dpt:SSH_PORT

Chain FORWARD (policy DROP)
ACCEPT     all  --  *      *       [0.0.0.0/0](https://0.0.0.0/0)            [0.0.0.0/0](https://0.0.0.0/0)            state RELATED,ESTABLISHED
ACCEPT     tcp  --  *      *       [0.0.0.0/0](https://0.0.0.0/0)            [IP_ADDRESS](https://IP_ADDRESS/)        tcp dpt:443

Chain OUTPUT (policy ACCEPT)

I've changed the real domain name and IP address of the site I'm pretending to be.

[iopq]

I'm not sure you should be redirecting to it. H-ui sets up proxying the site content from the other URL, for example.